Effective Approaches to Web Application Security

zane@signalsciences.com
@zanelackey
Who am I?

•  Co-Founder / CSO at Signal Sciences
•  Built and led the Etsy Security Team
•  Prior to that, offensive research and penetration testing @ iSEC Partners
About this talk

Real world approaches to web application security challenges
About this talk

Specifically, techniques that are simple and effective
Continuous deployment?

<- What it (hopefully) isn't
Three words: iterate, iterate, iterate
Etsy pushes to production 30 times a day on average

(dogs push too)
But doesn't the rapid rate of change mean things are less secure?!

Actually, the opposite is true
Being able to deploy quickly is our #1 security feature
Compared to

"We'll rush that security fix. It will go out … in about 6 weeks."

- Former vendor at Etsy
What it boils down to (spoiler alert)

•  Make things safe by default
•  Detect risky functionality / Focus your efforts
•  Automate as much as you can
•  Know when the house is burning down
Safe by default

How have the traditional defenses for XSS worked out?
Safe by default

•  Problems?
   –  Often done on a per-input basis
      •  Easy to miss an input or output
   –  May use defenses in the wrong context
      •  An input validation pattern may block full HTML injection, but not injection inside JS
   –  May put defenses on the client side in JS
   –  Etc …

These problems miss the point
Safe by default

•  The real problem is that it's hard to find where protections have been missed

•  How can we change our approach to make it simpler?
Safe by default

Input validation
Output encoding
Safe by default

Encode dangerous HTML characters to HTML entities at the very start of your framework

To repeat… Before input reaches main application code
Safe by default

On the surface this doesn't seem like much of a change
Safe by default

Except, we've just made lots of XSS problems grep-able
Safe by default

Now we look for a small number of patterns:
•  HTML entity decoding functions or explicit string replacements
•  Data in formats that won't be sanitized
   –  Ex: Base64 encoded, double URL encoded, etc
•  Code that opts out of platform protections
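Added example (Python, not Etsy's framework code): the two halves of this approach side by side, an entry-point encoder that runs before any application code sees a parameter, and the grep for the small set of opt-out patterns. The PHP function names in the patterns are real PHP functions; get_raw_input() is a hypothetical opt-out helper standing in for whatever your framework offers, and SAMPLE_PHP is constructed for the example. Note that entity-encoding at entry only covers the HTML context; JS and URL contexts and DOM based XSS still need their own handling, as the next slide says.

```python
import html
import re


def encode_inputs(params):
    """Framework entry point: convert the dangerous HTML characters in every
    request parameter into entities before application code sees the value.
    quote=True also encodes ' and " so values echoed into attributes are safe."""
    return {name: html.escape(value, quote=True) for name, value in params.items()}


# Source patterns marking where the platform protection is undone or bypassed.
# get_raw_input() is a hypothetical opt-out helper; the other names are real PHP.
OPT_OUT_PATTERNS = {
    "entity_decode":    re.compile(r"\b(html_entity_decode|htmlspecialchars_decode)\s*\("),
    "string_replace":   re.compile(r"str_replace\s*\(\s*['\"]&(lt|gt|quot|amp|#039);['\"]"),
    "raw_input":        re.compile(r"\bget_raw_input\s*\("),
    "base64_input":     re.compile(r"base64_decode\s*\("),
    "double_urldecode": re.compile(r"urldecode\s*\(\s*urldecode\s*\("),
}


def find_opt_outs(source, filename="<input>"):
    """Grep-style scan: every line matching an opt-out pattern is a place that
    needs a code review.  Returns (filename, line_no, pattern_name, line)."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in OPT_OUT_PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, line_no, name, line.strip()))
    return findings


# Constructed PHP source for the example.
SAMPLE_PHP = """<?php
$name = $request->get('name');                        // entity-encoded by the framework, safe to echo
$bio  = html_entity_decode($request->get('bio'));     // opts out: review this
$blob = base64_decode($request->get('payload'));      // bypasses the encoder entirely
echo $name;
"""

if __name__ == "__main__":
    print(encode_inputs({"q": "<script>alert(1)</script>", "name": "O'Reilly"}))
    for finding in find_opt_outs(SAMPLE_PHP, "profile.php"):
        print("REVIEW %s:%d %s: %s" % finding)
```

Running the scan from a unit test that fails on any new finding turns "where is it made deliberately unsafe?" into a question the build answers on every push.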
  
Safe by default

Fundamentally shifts us:

   From: "Where is my app missing protections?" (hard)

   To: "Where is it made deliberately unsafe?" (easy)
Safe by default

Obviously not a panacea
   –  DOM based XSS
   –  Javascript: URLs
   –  Can be a pain during internationalization efforts
Focus your efforts
Focus your efforts

•  Continuous deployment means code ships fast
•  Things will go out the door before the security team knows about them
•  How can we detect high risk functionality?
Detect risky functionality

•  Know when sensitive portions of the codebase have been modified

•  Build automatic change alerting on the codebase
   –  Identify sensitive portions of the codebase
   –  Create automatic alerting on modifications
Detect risky functionality

•  Doesn't have to be complex to be effective
•  Approach:
   –  sha1sum sensitive platform level files
   –  Unit tests alert if the hash of the file changes
   –  Notifies security team on changes, drives code review
Detect risky functionality

•  At the platform level, watching for changes to site-wide sensitive functionality
   –  CSRF defenses
   –  Session management
   –  Encryption wrappers
   –  Login/Authentication
   –  Etc
Detect risky functionality

•  At the feature level, watching for changes to specific sensitive methods
•  Identifying these methods is part of the initial code review/pen test of new features
Detect risky functionality

•  Watch for dangerous functions
•  Usual candidates:
   –  File system operations
   –  Process execution/control
   –  Encryption / Hashing
   –  Etc
Detect risky functionality

•  Unit tests watch codebase for dangerous functions
   –  Split into separate high risk/low risk lists
•  Alerts are emailed to the appsec team, drive code reviews
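Added example (Python, not Etsy's test suite): both checks from the last few slides in the form a unit test would call. changed_sensitive_files() compares the pinned SHA-1 of each platform file against the current checkout, and scan_dangerous_calls() greps PHP source against separate high risk and low risk lists; the preg_replace /e pattern anticipates the code execution story later in the talk. The file contents, the pinned hashes and SAMPLE_PHP are all constructed here; the watch lists are a starting point, not Etsy's.

```python
import hashlib
import re


def sha1_of(data):
    return hashlib.sha1(data).hexdigest()


def changed_sensitive_files(pinned, current):
    """pinned: {path: sha1 recorded when the security team last reviewed the file};
    current: {path: bytes as found in the checkout}.  Returns the paths whose hash
    no longer matches or which have gone missing.  A unit test asserting this
    list is empty is the alert."""
    changed = []
    for path, expected in pinned.items():
        data = current.get(path)
        if data is None or sha1_of(data) != expected:
            changed.append(path)
    return changed


# Dangerous-function watch lists for PHP call sites.  High risk hits page the
# appsec team immediately; low risk hits go into a digest.
HIGH_RISK = {
    "process_exec":   re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\("),
    "eval":           re.compile(r"\beval\s*\("),
    # a regex literal whose modifier list contains 'e' (PREG_REPLACE_EVAL)
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
}
LOW_RISK = {
    "file_system": re.compile(r"\b(file_get_contents|file_put_contents|fopen|unlink|rename|mkdir)\s*\("),
    "crypto":      re.compile(r"\b(openssl_encrypt|openssl_decrypt|mcrypt_encrypt|md5|sha1|hash)\s*\("),
}


def scan_dangerous_calls(source, filename):
    """Returns {"high": [(file, line_no, name)], "low": [...]}."""
    hits = {"high": [], "low": []}
    for line_no, line in enumerate(source.splitlines(), start=1):
        for level, table in (("high", HIGH_RISK), ("low", LOW_RISK)):
            for name, pattern in table.items():
                if pattern.search(line):
                    hits[level].append((filename, line_no, name))
    return hits


# --- constructed inputs for the example ------------------------------------
# Contents of the sensitive platform files at the last review ...
REVIEWED = {
    "lib/csrf.php":    b"<?php function csrf_token() { return bin2hex(random_bytes(16)); }",
    "lib/session.php": b"<?php function secure_session_start() { session_start(); }",
}
PINNED = {path: sha1_of(data) for path, data in REVIEWED.items()}
# ... and in today's checkout, where someone weakened the CSRF token.
CURRENT = dict(REVIEWED)
CURRENT["lib/csrf.php"] = b"<?php function csrf_token() { return 'static'; }"

SAMPLE_PHP = r"""<?php
$thumb   = shell_exec('convert ' . $path . ' -resize 100x100 thumb.png');
$text    = preg_replace('/\{(\w+)\}/e', '$vars["\1"]', $template);
$data    = file_get_contents($upload);
$digest  = hash('sha256', $data);
"""

if __name__ == "__main__":
    print("changed sensitive files:", changed_sensitive_files(PINNED, CURRENT))
    print(scan_dangerous_calls(SAMPLE_PHP, "upload.php"))
```

In practice the pinned hashes live in the repository next to the test, so updating them is itself a reviewed change.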
  	
  	
  
Detect risky functionality

•  Find out about unused but reachable pages
•  Any files still reachable but barely requested are probably old or "temporary" code
   –  aka a goldmine of vulnerabilities
Detect risky functionality

1.  Walk DocumentRoot, build list of files
2.  Compare each file against access log
3.  Alert on any files accessed < X times in last 30 days

Identified files are worth a manual review, can likely be removed entirely
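Added example (Python, not the original script): the three steps above as one cron-able check. reachable_files() walks a DocumentRoot, request_counts() tallies combined-format access log lines newer than the window, and rarely_requested() returns the files under the threshold. The log lines, file list and fixed "now" are constructed so the example is reproducible offline; in production drop the now argument and pass the real DocumentRoot.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined-log-format request line: only the timestamp and the path matter here.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*"')


def reachable_files(docroot, extensions=(".php",)):
    """Step 1: walk DocumentRoot and return the web paths an attacker can request."""
    paths = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith(extensions):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                paths.append("/" + rel.replace(os.sep, "/"))
    return sorted(paths)


def request_counts(log_lines, since):
    """Step 2: requests per path, ignoring entries older than `since`.
    The query string is dropped so /a.php and /a.php?x=1 count together."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if when >= since:
            counts[m.group("path")] += 1
    return counts


def rarely_requested(files, log_lines, threshold, now=None, days=30):
    """Step 3: (path, hits) for files requested fewer than `threshold` times
    in the last `days`; these go to the appsec team for manual review."""
    now = now or datetime.now(timezone.utc)
    counts = request_counts(log_lines, now - timedelta(days=days))
    return [(f, counts[f]) for f in files if counts[f] < threshold]


# --- constructed inputs for the example ------------------------------------
FILES = ["/admin/export_tmp.php", "/checkout/pay.php",
         "/members/index.php", "/members/old_profile.php"]
SAMPLE_LOG = """\
10.0.0.1 - - [01/Aug/2012:16:37:41 +0000] "GET /members/index.php HTTP/1.1" 200 512
10.0.0.2 - - [15/Aug/2012:10:00:00 +0000] "GET /members/index.php?tab=sales HTTP/1.1" 200 512
10.0.0.3 - - [20/Aug/2012:10:00:00 +0000] "GET /members/index.php HTTP/1.1" 200 512
10.0.0.4 - - [02/Jul/2012:10:00:00 +0000] "GET /admin/export_tmp.php HTTP/1.1" 200 99
10.0.0.5 - - [28/Aug/2012:10:00:00 +0000] "POST /checkout/pay.php HTTP/1.1" 200 99
""".splitlines()
NOW = datetime(2012, 8, 31, tzinfo=timezone.utc)   # fixed so the example is reproducible

if __name__ == "__main__":
    for path, hits in rarely_requested(FILES, SAMPLE_LOG, threshold=2, now=NOW):
        print("REVIEW %s (%d requests in 30 days)" % (path, hits))
```

The July request for export_tmp.php falls outside the window, so the file shows up with zero hits even though the log has seen it once.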
  
Detect risky functionality

•  Monitor application traffic
•  Purpose is twofold:
   –  Detecting risky functionality that was missed by earlier processes
   –  Groundwork for attack detection and verification
Detect risky functionality

•  Regex incoming requests at the framework
   –  Sounds like a performance nightmare, shockingly isn't
•  Look for HTML/JS in the request
   –  This creates a huge number of false positives
•  That's by design, we refine the search later
Detect risky functionality

•  We deliberately want to cast a wide net to see HTML entering the application
•  From there, build a baseline of HTML
   –  Entering the application in aggregate
   –  Received by specific endpoints
Detect risky functionality

What to watch for:
   –  Did a new endpoint suddenly show up?
      •  A new risky feature might've just shipped
   –  Did the amount of traffic containing HTML just significantly go up?
      •  Worth investigating
Detect risky functionality

Aggregate increased, time to investigate
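Added example (Python, not Etsy's framework code) covering the wide-net regex and the baseline comparison from the preceding slides: html_params() decodes every query and body parameter and matches a deliberately broad HTML pattern, html_counts_by_endpoint() builds the per-endpoint count for a period, and compare_to_baseline() raises the two alerts the slides describe (a new endpoint receiving HTML, and a significant rise on an endpoint or in aggregate). The baseline numbers, the requests and the 2x ratio are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Deliberately broad: anything tag-like, an inline event handler, or a javascript: URL.
HTML_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def html_params(path_with_query, body=""):
    """Names of the query/body parameters that carry HTML.  Values are decoded a
    second time so double-URL-encoded payloads are caught as well."""
    parts = urlsplit(path_with_query)
    params = (parse_qsl(parts.query, keep_blank_values=True)
              + parse_qsl(body, keep_blank_values=True))
    return [name for name, value in params if HTML_RE.search(unquote_plus(value))]


def html_counts_by_endpoint(requests):
    """requests: iterable of (path_with_query, body).  Counter of endpoint path ->
    number of requests that carried HTML in this period."""
    counts = Counter()
    for url, body in requests:
        if html_params(url, body):
            counts[urlsplit(url).path] += 1
    return counts


def compare_to_baseline(baseline, current, ratio=2.0):
    """Flag endpoints receiving HTML that were absent from the baseline (a risky
    feature may just have shipped), endpoints whose HTML volume grew by more than
    `ratio`, and an aggregate jump across the whole application."""
    alerts = []
    for endpoint, n in current.items():
        base = baseline.get(endpoint, 0)
        if base == 0:
            alerts.append(("new_endpoint", endpoint, n))
        elif n > base * ratio:
            alerts.append(("spike", endpoint, n))
    total_base, total_now = sum(baseline.values()), sum(current.values())
    if total_base and total_now > total_base * ratio:
        alerts.append(("aggregate_spike", "*", total_now))
    return alerts


# Constructed baseline (HTML-bearing requests per endpoint in a normal period) ...
BASELINE = Counter({"/search": 1, "/listing/edit": 3})
# ... and today's requests as (path with query string, POST body).
TODAY = [
    ("/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("/search?q=boots", ""),
    ("/search?q=%253Cimg%2520src%3Dx%253E", ""),                    # double URL encoded
    ("/search?q=%3Ca+href%3D%22javascript%3Aalert(1)%22%3Ex%3C%2Fa%3E", ""),
    ("/listing/edit?id=5", "description=%3Cb%3Enice%3C%2Fb%3E"),
    ("/forum/post", "body=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"),   # endpoint not in baseline
    ("/forum/post", "body=hello"),
]

if __name__ == "__main__":
    current = html_counts_by_endpoint(TODAY)
    print(current)
    for alert in compare_to_baseline(BASELINE, current):
        print("ALERT", alert)
```

Endpoints whose baseline legitimately carries HTML (a rich-text editor, for instance) simply have a higher baseline; the alert fires on change, not on presence.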
  
 
	
  
Automate as much as you can
Automate as much as you can

•  Automate finding simple issues to free up resources for more complex tasks
•  Use attacker traffic to automatically drive testing
•  We call it Attack Driven Testing
Automate as much as you can

•  Some cases where this is useful:
   –  Application faults
   –  Reflected XSS
   –  SQLi
Automate as much as you can

•  Application faults (HTTP 5xx errors)
•  As an attacker, these are one of the first signs of weakness in an app
   –  As a defender, pay attention to them!
Automate as much as you can

•  Just watching for 5xx errors results in a lot of ephemeral issues that don't reproduce
•  Instead:
   –  Grab last X hours worth of 5xx errors from access logs
   –  Replay the original request
   –  Alert on any requests which still return a 5xx
Automate as much as you can

•  Cron this script to run every few hours
•  If a request still triggers an application fault hours later, it's worth investigating
Automate as much as you can

•  Similar methodology for verifying reflected XSS
•  For reflected XSS we:
   –  Identify requests containing basic XSS payloads
   –  Replay the request
   –  Alert if the XSS payload executed
Automate as much as you can

•  Basic payloads commonly used in testing for XSS:
   –  alert()
   –  document.write()
   –  unescape()
   –  String.fromCharCode()
   –  etc
Automate as much as you can

We created a tool to use NodeJS as a headless browser for verification
Automate as much as you can

Test webserver:
1.  Fetch URL containing potential XSS
2.  Page contents returned to a temp buffer, not interpreted yet
3.  Inject our instrumented JS into page contents (Our JS + Page contents)
4.  Combination of instrumented JS + page contents interpreted
5.  If instrumented JS is executed, alert appsec team for review
Automate as much as you can

•  Sample instrumented JS:

(function() {
    // keep a reference to the real alert() so the tool can still call it
    var proxiedAlert = window.alert;
    // any alert() reached by an injected payload navigates to a sentinel URL,
    // which the headless browser watches for
    window.alert = function() {
        location = "XSSDETECTED";
    };
})();
Automate as much as you can

•  Open sourced NodeJS tool
   –  https://github.com/zanelackey/projects
•  Combine this approach with driving a browser via Watir/Selenium
   –  Make sure to use all major browsers
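Added example (Python, not the open sourced NodeJS tool) for both attack driven testing cases above, the 5xx replay and the reflected XSS replay. candidates() pulls the unique 5xx requests and the requests whose decoded target carries one of the basic payloads out of an access log; replay() re-issues them through a supplied fetch function, reports the faults that still reproduce, and for payloads that come back unencoded returns the page with the slide's instrumented JS prepended (steps 2 and 3 of the diagram), ready to hand to the headless browser for steps 4 and 5. The log lines and the canned responses behind fake_fetch are constructed so the example runs offline; replace fake_fetch with a real HTTP client against the test webserver.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: method, request target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^ "]+) HTTP/[\d.]+" (?P<status>\d{3})')

# The basic payloads from the slides.
XSS_PAYLOAD_RE = re.compile(
    r"alert\s*\(|document\.write\s*\(|unescape\s*\(|String\.fromCharCode\s*\(", re.IGNORECASE)

# The slide's hook, wrapped in a script tag so it can be prepended to a page.
INSTRUMENTED_JS = """<script>
(function() {
  var proxiedAlert = window.alert;
  window.alert = function() { location = "XSSDETECTED"; };
})();
</script>
"""


def candidates(log_lines):
    """Unique requests that returned a 5xx, and unique requests whose
    (double-)decoded target carries a basic XSS payload."""
    faults, xss, seen = [], [], set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m.group("method"), m.group("target"))
        if key in seen:
            continue
        seen.add(key)
        if 500 <= int(m.group("status")) < 600:
            faults.append(key)
        if XSS_PAYLOAD_RE.search(unquote_plus(unquote_plus(m.group("target")))):
            xss.append(key)
    return faults, xss


def reflected_values(target, body):
    """Query values carrying a payload that come back verbatim (not entity-encoded)."""
    return [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if XSS_PAYLOAD_RE.search(v) and v in body]


def replay(log_lines, fetch):
    """fetch(method, target) -> (status, body) re-issues a request against the test
    webserver.  Returns the faults that still reproduce and, for payloads that are
    reflected, the page with the instrumented JS in front, ready for the headless browser."""
    faults, xss = candidates(log_lines)
    still_faulting = [key for key in faults if 500 <= fetch(*key)[0] < 600]
    reflected = []
    for key in xss:
        _status, body = fetch(*key)
        if reflected_values(key[1], body):
            reflected.append((key, INSTRUMENTED_JS + body))
    return {"faults": still_faulting, "reflected": reflected}


# --- constructed access log and canned responses ----------------------------
SAMPLE_LOG = """\
10.0.0.7 - - [01/Aug/2012:03:10:01 +0000] "GET /listing/123 HTTP/1.1" 500 0
10.0.0.7 - - [01/Aug/2012:03:10:02 +0000] "GET /listing/124 HTTP/1.1" 500 0
10.0.0.8 - - [01/Aug/2012:03:11:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812
10.0.0.8 - - [01/Aug/2012:03:11:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812
10.0.0.9 - - [01/Aug/2012:03:12:00 +0000] "GET /profile?name=bob HTTP/1.1" 200 512
""".splitlines()

CANNED = {
    ("GET", "/listing/123"): (500, "Internal Server Error"),             # still broken hours later
    ("GET", "/listing/124"): (200, "<html>listing 124</html>"),          # the fault was transient
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"):
        (200, "<html>Results for <script>alert(1)</script></html>"),     # echoed unencoded
}


def fake_fetch(method, target):
    """Stand-in for an HTTP client so the example runs offline."""
    return CANNED.get((method, target), (404, ""))


if __name__ == "__main__":
    result = replay(SAMPLE_LOG, fake_fetch)
    print("persistent faults:", result["faults"])
    for key, page in result["reflected"]:
        print("reflected, hand to headless browser:", key, len(page), "bytes")
```

The verbatim-reflection check is only a pre-filter that saves browser time; whether the payload actually executes is still decided by the instrumented page in the browser, exactly as on the slides.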
  	
  
 
	
  
Know when the house is burning down
Know when the house is burning down

Graph early, graph often
Know when the house is burning down

Which of these is a quicker way to spot a problem?
Know when the house is burning down

•  Methodology:
   –  Instrument application to collect data points
   –  Fire them off to an aggregation backend
   –  Build individual graphs
   –  Combine groups of graphs into dashboards
•  We've open sourced our instrumentation library
   –  https://github.com/etsy/statsd
Know when the house is burning down

Now we can visually spot attacks
Know when the house is burning down

But who's watching at 4AM?
Know when the house is burning down

•  In addition to data visualizations, we need automatic alerting
•  Look at the raw data to see if it exceeds certain thresholds
•  Works well for graphs like this…
Know when the house is burning down

But not like this…
Know when the house is burning down

•  We need to smooth out graphs that follow usage patterns
•  Use exponential smoothing formulas like Holt-Winters
•  Math is hard, let's look at screenshots!
Know when the house is burning down

•  Now that we've smoothed out the graphs…
•  Use the same approach as before:
   –  Grab the raw data
   –  Look for values above/below a set threshold
   –  Alert
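Added example (Python, not Etsy's alerting code) of the smoothing the screenshots stand in for: additive Holt-Winters over a constructed three-day series of hourly request counts that follows a daily usage pattern, with 150 extra requests injected at 03:00 on the third day. holt_winters_alerts() applies the "above/below a threshold" rule to the forecast rather than to the raw value, and static_threshold_alerts() shows why the flat line from the earlier slide misses a night-time spike that never reaches daytime volume. The series, the smoothing constants, the 3x deviation band and the minimum band are all assumptions to tune against real data.

```python
def holt_winters(series, season, alpha=0.1, beta=0.0035, gamma=0.1):
    """Additive Holt-Winters (triple exponential smoothing).

    Returns a list aligned with `series`: None for the first season, which only
    initialises the level and the seasonal factors, then (predicted, deviation)
    for every later point, where `predicted` is the one-step-ahead forecast made
    before seeing that point and `deviation` is the smoothed absolute forecast
    error so far."""
    m = season
    if len(series) < 2 * m:
        raise ValueError("need at least two full seasons of data")
    level = sum(series[:m]) / m
    trend = (sum(series[m:2 * m]) - sum(series[:m])) / (m * m)
    seasonal = [x - level for x in series[:m]]
    deviation = 0.0
    fits = [None] * m
    for i in range(m, len(series)):
        x = series[i]
        predicted = level + trend + seasonal[i % m]
        fits.append((predicted, deviation))
        new_level = alpha * (x - seasonal[i % m]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[i % m] = gamma * (x - new_level) + (1 - gamma) * seasonal[i % m]
        level = new_level
        deviation = gamma * abs(x - predicted) + (1 - gamma) * deviation
    return fits


def holt_winters_alerts(series, season, k=3.0, min_band=10.0, **smoothing):
    """Alert where a point falls outside predicted +/- max(min_band, k * deviation).
    The first two seasons are warm-up and never alert; min_band stops a perfectly
    predicted series from alerting on noise while the deviation is still near zero."""
    fits = holt_winters(series, season, **smoothing)
    alerts = []
    for i in range(2 * season, len(series)):
        predicted, deviation = fits[i]
        band = max(min_band, k * deviation)
        if series[i] > predicted + band:
            alerts.append((i, "above"))
        elif series[i] < predicted - band:
            alerts.append((i, "below"))
    return alerts


def static_threshold_alerts(series, threshold):
    """The naive rule from the earlier slide: a fixed line on the graph."""
    return [i for i, x in enumerate(series) if x > threshold]


# Constructed hourly request counts for one feature over three days: quiet
# nights, busy afternoons, then 150 extra requests at 03:00 on the third day.
DAY = [50] * 6 + [150] * 4 + [300] * 8 + [150] * 6
SERIES = DAY * 3
SPIKE_INDEX = 2 * 24 + 3
SERIES[SPIKE_INDEX] += 150

if __name__ == "__main__":
    print("Holt-Winters alerts:", holt_winters_alerts(SERIES, season=24))
    print("static threshold 320 alerts:", static_threshold_alerts(SERIES, 320))
```

The static line has to sit above the afternoon peak of 300 to stay quiet during the day, so a 200-request burst at 3AM never crosses it; the forecast expects about 50 at that hour and flags the same burst immediately.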
  	
  
Know when the house is burning down

Have the ability to quickly/easily correlate events
Know when the house is burning down

•  Global Request IDs

<?php
global $request_uuid;
// hand the per-request id to Apache so it is written into the access log;
// the same id is prefixed to every application log line for this request
apache_note('request_uuid', $request_uuid);
Know when the house is burning down

[01/Aug/2012:16:37:41 +0000] "GET /members/twokb/payments HTTP/1.1" 200 "https://XXX/members/twokb" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11" MF9JqDVpY93VOMreyvI2UC24wRjT

[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [XXX] [kbarry] about to call shop_get_data for shop: [5971709]

[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [XXX_audit] [kbarry] action="view_payments" staff="kbarry" user_id="5597626" section="payment_info"
Know when the house is burning down

Alert on events that (should) never happen
Know when the house is burning down

Successful attacks don't happen in a vacuum!
They generate signals
Know when the house is burning down

1.  Identify the signals associated with a vulnerability class
2.  Alert when a signal occurs
3.  Fix the identified weaknesses
Know when the house is burning down

Two examples: SQLi and code execution
Know when the house is burning down

•  The road to exploited SQLi is littered with broken queries

1.  Watch the logs for SQL syntax errors
2.  Alert when they appear
3.  Fix the lack of validation allowing the error
Know when the house is burning down

•  Further along the attack process, a SQLi attack looks like… your database
•  Sensitive DB table names shouldn't be showing up in requests
   –  Alert if they do!
•  aka the "Two hours until the db is up on pastebin" alert
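Added example (Python, not Etsy's tooling) that ties the global request ID slide to the two SQLi signals above: correlate() joins the access log entry and the application log lines by the request id (last token of the access log line, bracketed in the application log, as in the sample lines earlier), and sqli_signals() raises "sql_syntax_error" for a request whose application log shows a broken query and "sensitive_table_in_request" when a sensitive table name appears in a request parameter. The log lines, request ids, error patterns and table list are constructed; the table list in particular is whatever your schema says it should be.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Access log line: request line and status; the request id is the last token.
ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^ "]+) HTTP/[\d.]+" (?P<status>\d{3})')
# Application log line: [timestamp] [request id] [level] message
APP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<rid>[A-Za-z0-9]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")

# Messages a broken query produces on common databases.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|Unclosed quotation mark|syntax error at or near|ORA-0(0933|1756)",
    re.IGNORECASE)
# Table names that have no business appearing inside a request parameter.
SENSITIVE_TABLES = ("users", "payments", "credit_cards", "staff_sessions")
TABLE_RE = re.compile(r"\b(" + "|".join(SENSITIVE_TABLES) + r")\b", re.IGNORECASE)


def correlate(access_lines, app_lines):
    """Group the access log entry and every application log line by request id."""
    by_rid = defaultdict(lambda: {"request": None, "app": []})
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if m:
            rid = line.rsplit(None, 1)[-1]
            by_rid[rid]["request"] = (m.group("method"), m.group("target"), int(m.group("status")))
    for line in app_lines:
        m = APP_RE.match(line)
        if m:
            by_rid[m.group("rid")]["app"].append((m.group("level"), m.group("msg")))
    return by_rid


def sqli_signals(access_lines, app_lines):
    """(request id, signal, detail) for each request that tripped a signal.
    Only the query string is checked for table names, so a path such as
    /members/twokb/payments does not count."""
    signals = []
    for rid, entry in correlate(access_lines, app_lines).items():
        if entry["request"] is None:
            continue
        method, target, _status = entry["request"]
        if any(SQL_ERROR_RE.search(msg) for _level, msg in entry["app"]):
            signals.append((rid, "sql_syntax_error", "%s %s" % (method, target)))
        m = TABLE_RE.search(unquote_plus(urlsplit(target).query))
        if m:
            signals.append((rid, "sensitive_table_in_request", m.group(1).lower()))
    return signals


# --- constructed log lines (request ids are made up) -----------------------
ACCESS_LOG = """\
10.0.0.1 - - [01/Aug/2012:16:37:41 +0000] "GET /members/twokb/payments HTTP/1.1" 200 "-" "Mozilla/5.0" MF9JqDVpY93VOMreyvI2UC24wRjT
10.0.0.9 - - [01/Aug/2012:16:38:02 +0000] "GET /shop/5971709?sort=price' HTTP/1.1" 500 "-" "sqlmap/1.0" Ab3Cd4Ef5Gh6Ij7Kl8Mn9Op0Qr1S
10.0.0.9 - - [01/Aug/2012:16:38:40 +0000] "GET /shop/5971709?sort=price%20union%20select%20password%20from%20users HTTP/1.1" 200 "-" "sqlmap/1.0" Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Q
""".splitlines()

APP_LOG = """\
[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [shop] [kbarry] about to call shop_get_data for shop: [5971709]
[Wed Aug 01 16:38:02 2012] [Ab3Cd4Ef5Gh6Ij7Kl8Mn9Op0Qr1S] [error] [db] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
[Wed Aug 01 16:38:40 2012] [Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Q] [info] [db] query ok rows=1
""".splitlines()

if __name__ == "__main__":
    for rid, signal, detail in sqli_signals(ACCESS_LOG, APP_LOG):
        print("ALERT %s %s: %s" % (rid, signal, detail))
```

Because every signal carries the request id, the on-call responder can pull the full request, the staff audit line and the database error for that one request in a single search instead of guessing from timestamps.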
  	
  
Know when the house is burning down

A funny story about a code execution vuln…
Know when the house is burning down

•  preg_replace() in PHP has an interesting modifier

"e (PREG_REPLACE_EVAL) If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string."
Know when the house is burning down

What do the signals for this look like?
Know when the house is burning down

You can't fix what you're not alerting on
Conclusions
Have the ability to deploy/respond quickly

•  Make things safe by default
•  Focus your efforts / Detect risky functionality
•  Automate as much as you can
•  Know when the house is burning down
Thanks!

zane@signalsciences.com
@zanelackey
References / Thanks

•  DevOpsSec: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
•  Special Thanks:
   –  Nick Galbreath, Dan Kaminsky, Marcus Barczak
 

Similaire à Effective approaches to web application security

Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinarkdinerman
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hostingshendison
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesReliaQuest
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinarkdinerman
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Eoin Keary
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 

Similaire à Effective approaches to web application security (20)

Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Confidence web
Confidence webConfidence web
Confidence web
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive security
 

Dernier

Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Dernier (20)

Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

Effective approaches to web application security

  • 1. Effective Approaches to Web Application Security zane@signalsciences.com @zanelackey
  • 2. Who am I? • Co-Founder / CSO at Signal Sciences • Built and led the Etsy Security Team • Prior to that, offensive research and penetration testing @ iSEC Partners
  • 3. About this talk: Real world approaches to web application security challenges
  • 4. About this talk: Specifically, techniques that are simple and effective
  • 6. <- What it (hopefully) isn't
  • 7. Three words: iterate, iterate, iterate
  • 9. Etsy pushes to production 30 times a day on average
  • 10. (dogs push too)
  • 11. But doesn't the rapid rate of change mean things are less secure?!
  • 12. Actually, the opposite is true
  • 13. Being able to deploy quickly is our #1 security feature
  • 14. Compared to: "We'll rush that security fix. It will go out … in about 6 weeks." - Former vendor at Etsy
  • 15. What it boils down to (spoiler alert) • Make things safe by default • Detect risky functionality / Focus your efforts • Automate as much as you can • Know when the house is burning down
  • 16. Safe by default
  • 17. How have the traditional defenses for XSS worked out?
  • 19. Safe by default • Problems? – Often done on a per-input basis • Easy to miss an input or output – May use defenses in the wrong context • Input validation pattern may block full HTML injection, but not injecting inside JS – May put defenses on the client side in JS – Etc … These problems miss the point
  • 20. Safe by default • The real problem is that it's hard to find where protections have been missed • How can we change our approach to make it simpler?
  • 21. Safe by default: Input validation / Output encoding
  • 22. Safe by default: Input validation / Output encoding
  • 23. Safe by default: Encode dangerous HTML characters to HTML entities at the very start of your framework. To repeat… before input reaches main application code
  • 24. Safe by default: On the surface this doesn't seem like much of a change
  • 25. Safe by default: Except, we've just made lots of XSS problems grep-able
  • 27. Safe by default: Now we look for a small number of patterns: • HTML entity decoding functions or explicit string replacements • Data in formats that won't be sanitized – Ex: Base64 encoded, double URL encoded, etc • Code that opts out of platform protections
  • 28. Safe by default: Fundamentally shifts us: From: "Where is my app missing protections?" (hard) To: "Where is it made deliberately unsafe?" (easy)
  • 29. Safe by default: Obviously not a panacea – DOM based XSS – Javascript: URLs – Can be a pain during internationalization efforts
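Added example (not the talk's or Etsy's code): the two halves of the safe-by-default approach from slides 23-28 in Python, the entry-point encoder and the grep for opt-out patterns, run over constructed PHP snippets; the opt-out accessor names raw_param and skip_xss_encoding are hypothetical.

```python
"""Safe by default as slides 23-28 describe it: entity-encode at the
framework entry point, then grep the codebase for the few places that
deliberately undo it. Added example, not Etsy's framework code; the PHP
snippets scanned below are constructed."""
import re

# Encoded before any application code sees the request (slide 23).
ENTITY = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def encode_request(params):
    """Return a copy of the request parameters with dangerous HTML characters
    replaced by entities; lists (multi-valued params) are handled too."""
    def enc(value):
        if isinstance(value, list):
            return [enc(v) for v in value]
        return "".join(ENTITY.get(c, c) for c in str(value))
    return {name: enc(value) for name, value in params.items()}


# The small set of patterns that now mark code as "deliberately unsafe"
# (slide 27). PHP-flavoured because the talk's platform was PHP. The
# opt_out_flag names are hypothetical; use whatever your framework calls
# its "give me the raw parameter" accessor.
OPT_OUT_PATTERNS = {
    "entity_decode": re.compile(r"\b(html_entity_decode|htmlspecialchars_decode)\s*\("),
    "manual_decode": re.compile(r"\bstr_replace\s*\(\s*['\"]&(lt|gt|quot|amp|#x27);"),
    "unsanitised_format": re.compile(r"\b(base64_decode|urldecode|rawurldecode)\s*\("),
    "opt_out_flag": re.compile(r"\b(raw_param|skip_xss_encoding)\b"),
}


def find_opt_outs(files):
    """files maps path -> source. Returns (path, line_no, pattern, line) per
    hit; this list is the review queue, each hit being a place a reviewer
    has to justify."""
    hits = []
    for path, source in files.items():
        for line_no, line in enumerate(source.splitlines(), 1):
            for name, pattern in OPT_OUT_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, line_no, name, line.strip()))
    return hits


SAMPLE_FILES = {  # constructed snippets standing in for a checkout
    "lib/Listing.php": (
        "<?php\n"
        "$title = $request->param('title');  // already encoded at entry\n"
        "echo '<h1>' . $title . '</h1>';\n"
    ),
    "lib/Legacy/Import.php": (
        "<?php\n"
        "$blob = base64_decode($request->param('payload'));\n"
        "$desc = html_entity_decode($request->param('desc'));\n"
        "echo $desc;\n"
    ),
    "lib/Admin/Preview.php": (
        "<?php\n"
        "$raw = str_replace('&lt;', '<', $request->param('body'));\n"
        "echo $raw;\n"
    ),
}

if __name__ == "__main__":
    print(encode_request({"q": "<b>sale</b> & more", "tags": ["a&b", "c"]}))
    for hit in find_opt_outs(SAMPLE_FILES):
        print("%s:%d [%s] %s" % hit)
```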
  • 30. Focus your efforts
  • 31. Focus your efforts • Continuous deployment means code ships fast • Things will go out the door before the security team knows about them • How can we detect high risk functionality?
  • 32. Detect risky functionality • Know when sensitive portions of the codebase have been modified • Build automatic change alerting on the codebase – Identify sensitive portions of the codebase – Create automatic alerting on modifications
  • 33. Detect risky functionality • Doesn't have to be complex to be effective • Approach: – sha1sum sensitive platform level files – Unit tests alert if hash of the file changes – Notifies security team on changes, drives code review
  • 34. Detect risky functionality • At the platform level, watching for changes to site-wide sensitive functionality – CSRF defenses – Session management – Encryption wrappers – Login/Authentication – Etc
  • 35. Detect risky functionality • At the feature level, watching for changes to specific sensitive methods • Identifying these methods is part of initial code review/pen test of new features
  • 36. Detect risky functionality • Watch for dangerous functions • Usual candidates: – File system operations – Process execution/control – Encryption / Hashing – Etc
  • 37. Detect risky functionality • Unit tests watch codebase for dangerous functions – Split into separate high risk/low risk lists • Alerts are emailed to the appsec team, drive code reviews
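Added example, not Etsy's unit tests: the sha1 manifest check for platform-level files and the high/low risk dangerous-function scan from slides 33-37, run over a constructed in-memory checkout.

```python
"""Change alerting on sensitive code (slides 32-37): a pinned sha1 manifest
for platform-level files plus a scan for dangerous functions split into
high- and low-risk lists. Added example, not Etsy's unit tests; the
checkout below is constructed and lives in memory instead of on disk."""
import hashlib
import re

CHECKOUT = {  # constructed: path -> source
    "lib/Security/Csrf.php":
        "<?php\nfunction csrf_check($t) { return hash_equals($_SESSION['csrf'], $t); }\n",
    "lib/Security/Session.php":
        "<?php\nfunction secure_session() { ini_set('session.cookie_httponly', 1); }\n",
    "controllers/Upload.php":
        "<?php\n$dst = '/tmp/' . $_FILES['f']['name'];\n"
        "move_uploaded_file($_FILES['f']['tmp_name'], $dst);\n"
        "exec('convert ' . $dst);\n",
    "lib/Util/Hash.php":
        "<?php\nfunction digest($s) { return md5($s); }\n",
}

# Site-wide sensitive functionality from slide 34.
SENSITIVE_FILES = ["lib/Security/Csrf.php", "lib/Security/Session.php"]

# Slide 36's usual candidates, split as slide 37 suggests.
HIGH_RISK = re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open|eval)\s*\(")
LOW_RISK = re.compile(r"\b(fopen|file_put_contents|move_uploaded_file|unlink|md5|sha1|mcrypt_\w+)\s*\(")


def sha1_of(source):
    return hashlib.sha1(source.encode("utf-8")).hexdigest()


def build_manifest(checkout, sensitive_paths):
    """Pin the current hashes; commit this next to the tests so that any
    change to these files makes the build fail loudly."""
    return {path: sha1_of(checkout[path]) for path in sensitive_paths}


def changed_sensitive_files(checkout, manifest):
    """The unit-test check: sensitive files whose hash no longer matches
    (a deleted file counts as changed)."""
    return sorted(path for path, digest in manifest.items()
                  if sha1_of(checkout.get(path, "")) != digest)


def dangerous_function_hits(checkout):
    """Every call to a listed function, bucketed by risk; high wins on a tie."""
    hits = {"high": [], "low": []}
    for path, source in checkout.items():
        for line_no, line in enumerate(source.splitlines(), 1):
            if HIGH_RISK.search(line):
                hits["high"].append((path, line_no, line.strip()))
            elif LOW_RISK.search(line):
                hits["low"].append((path, line_no, line.strip()))
    return hits


def review_email(checkout, manifest):
    """The alert body mailed to the appsec team; empty means nothing to review."""
    lines = []
    for path in changed_sensitive_files(checkout, manifest):
        lines.append("SENSITIVE FILE CHANGED: " + path)
    hits = dangerous_function_hits(checkout)
    for bucket in ("high", "low"):
        for path, line_no, line in hits[bucket]:
            lines.append("%s-risk call %s:%d  %s" % (bucket, path, line_no, line))
    return "\n".join(lines)


if __name__ == "__main__":
    manifest = build_manifest(CHECKOUT, SENSITIVE_FILES)
    edited = dict(CHECKOUT)
    edited["lib/Security/Csrf.php"] = "<?php\nfunction csrf_check($t) { return true; }\n"
    print(review_email(edited, manifest))
```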
  • 38. Detect risky functionality • Find out about unused but reachable pages • Any files still reachable but barely requested are probably old or "temporary" code – aka a goldmine of vulnerabilities
  • 39. Detect risky functionality 1. Walk DocumentRoot, build list of files 2. Compare each file against access log 3. Alert on any files accessed < X times in last 30 days. Identified files are worth a manual review, can likely be removed entirely
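Added example, not Etsy's script: the three steps of slide 39 against a throwaway DocumentRoot and a constructed access log, with a fixed "now" so the 30-day window is reproducible.

```python
"""Unused-but-reachable pages (slides 38-39): walk DocumentRoot, count each
file's requests in the last 30 days of the access log, and flag anything
below the threshold. Added example, not Etsy's script; the DocumentRoot is
a throwaway temp directory and the access log is constructed."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def walk_docroot(docroot):
    """Step 1: every file under DocumentRoot as the URL path it is reachable at."""
    paths = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            paths.append("/" + rel.replace(os.sep, "/"))
    return sorted(paths)


def count_recent_hits(log_lines, now, days=30):
    """Step 2: requests per URL path inside the window; query strings are dropped."""
    cutoff = now - timedelta(days=days)
    counts = {}
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        if datetime.strptime(match.group("ts"), TS_FMT) < cutoff:
            continue
        path = urlsplit(match.group("target")).path
        counts[path] = counts.get(path, 0) + 1
    return counts


def rarely_requested(docroot, log_lines, now, threshold=5, days=30):
    """Step 3: files reachable on disk but requested fewer than `threshold` times."""
    counts = count_recent_hits(log_lines, now, days)
    return [(path, counts.get(path, 0))
            for path in walk_docroot(docroot) if counts.get(path, 0) < threshold]


def demo():
    """Build the throwaway DocumentRoot and log, then run the check."""
    now = datetime(2012, 8, 1, 16, 37, 41, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as docroot:
        for rel in ("index.php", "members/payments.php",
                    "old/test_upload.php", "debug_tmp.php"):
            full = os.path.join(docroot, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php\n")
        log = []

        def hit(path, days_ago, times):
            stamp = (now - timedelta(days=days_ago)).strftime(TS_FMT)
            log.extend('[%s] "GET %s HTTP/1.1" 200 512' % (stamp, path)
                       for _ in range(times))
        hit("/index.php?ref=home", 1, 40)
        hit("/members/payments.php", 3, 12)
        hit("/old/test_upload.php", 45, 30)  # busy once, silent in the window
        hit("/debug_tmp.php", 2, 1)          # "temporary" code still reachable
        return rarely_requested(docroot, log, now, threshold=5)


if __name__ == "__main__":
    for path, hits in demo():
        print("%-28s %d hits in 30 days -> review, probably remove" % (path, hits))
```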
  • 40. Detect risky functionality • Monitor application traffic • Purpose is twofold: – Detecting risky functionality that was missed by earlier processes – Groundwork for attack detection and verification
  • 41. Detect risky functionality • Regex incoming requests at the framework – Sounds like a performance nightmare, shockingly isn't • Look for HTML/JS in request – This creates a huge number of false positives • That's by design, we refine the search later
  • 42. Detect risky functionality • We deliberately want to cast a wide net to see HTML entering the application • From there, build a baseline of HTML – Entering the application in aggregate – Received by specific endpoints
  • 43. Detect risky functionality What to watch for: – Did a new endpoint suddenly show up? • A new risky feature might've just shipped – Did the amount of traffic containing HTML just significantly go up? • Worth investigating
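Added example, not Etsy's framework code: the wide-net HTML regex, the per-endpoint baseline and the new-endpoint/spike alerts of slides 41-44, run over two constructed traffic windows.

```python
"""Casting a wide net for HTML entering the application (slides 41-44):
a deliberately loose regex over request parameters, a per-endpoint
baseline, and alerts for a new endpoint receiving HTML or a significant
jump over the baseline. Added example, not Etsy's framework code; the
traffic windows below are constructed."""
import re
from collections import Counter

# Loose on purpose (slide 41): a tag opener, an on*= handler, or javascript:.
# False positives are expected; the baseline step below refines them.
HTML_RE = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def has_html(params):
    return any(HTML_RE.search(str(value)) for value in params.values())


def html_by_endpoint(requests):
    """requests: iterable of (endpoint, params). Counts HTML-carrying requests per endpoint."""
    counts = Counter()
    for endpoint, params in requests:
        if has_html(params):
            counts[endpoint] += 1
    return counts


def compare_to_baseline(baseline, current, ratio=2.0, min_hits=10):
    """Slide 43's two questions, plus the aggregate view from slide 44."""
    alerts = []
    for endpoint, now in current.items():
        before = baseline.get(endpoint, 0)
        if before == 0:
            alerts.append(("new_endpoint", endpoint, before, now))
        elif now >= min_hits and now >= ratio * before:
            alerts.append(("spike", endpoint, before, now))
    total_before, total_now = sum(baseline.values()), sum(current.values())
    if total_before and total_now >= ratio * total_before:
        alerts.append(("aggregate_spike", "*", total_before, total_now))
    return alerts


def sample_window(spec):
    """Constructed traffic: spec maps endpoint -> (requests with HTML, plain requests)."""
    requests = []
    for endpoint, (with_html, plain) in spec.items():
        requests += [(endpoint, {"q": "<b>sale</b> vintage lamp"})] * with_html
        requests += [(endpoint, {"q": "vintage lamp"})] * plain
    return requests


# Last week: listing descriptions legitimately carry markup, search barely does.
BASELINE = sample_window({"/listings/create": (20, 200), "/search": (2, 500)})
# This week: search suddenly sees HTML, and a new reviews endpoint receives some.
CURRENT = sample_window({"/listings/create": (25, 210), "/search": (30, 520),
                         "/api/v1/reviews": (4, 40)})


def demo():
    return compare_to_baseline(html_by_endpoint(BASELINE), html_by_endpoint(CURRENT))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```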
  • 44. Detect risky functionality: Aggregate increased, time to investigate
  • 45. Automate as much as you can
  • 46. Automate as much as you can • Automate finding simple issues to free up resources for more complex tasks • Use attacker traffic to automatically drive testing • We call it Attack Driven Testing
  • 47. Automate as much as you can • Some cases where this is useful: – Application faults – Reflected XSS – SQLi
  • 48. Automate as much as you can • Application faults (HTTP 5xx errors) • As an attacker, these are one of the first signs of weakness in an app – As a defender, pay attention to them!
  • 49. Automate as much as you can • Just watching for 5xx errors results in a lot of ephemeral issues that don't reproduce • Instead: – Grab last X hours worth of 5xx errors from access logs – Replay the original request – Alert on any requests which still return a 5xx
  • 50. Automate as much as you can • Cron this script to run every few hours • If a request still triggers an application fault hours later, it's worth investigating
  • 51. Automate as much as you can • Similar methodology for verifying reflected XSS • For reflected XSS we: – Identify requests containing basic XSS payloads – Replay the request – Alert if the XSS payload executed
  • 52. Automate as much as you can • Basic payloads commonly used in testing for XSS: – alert() – document.write() – unescape() – String.fromCharCode() – etc
  • 53. Automate as much as you can: We created a tool to use NodeJS as a headless browser for verification
  • 54. Automate as much as you can: Test webserver 1. Fetch URL containing potential XSS
  • 55. Automate as much as you can: Test webserver 2. Page contents returned to a temp buffer, not interpreted yet
  • 56. Automate as much as you can: Test webserver 3. Inject our instrumented JS into page contents (Our JS + Page contents)
  • 57. Automate as much as you can: Test webserver 4. Combination of instrumented JS + page contents interpreted (Our JS + Page contents)
  • 58. Automate as much as you can: Test webserver 5. If instrumented JS is executed, alert appsec team for review
  • 59. Automate as much as you can • Sample instrumented JS: (function() { var proxiedAlert = window.alert; window.alert = function() { location = "XSSDETECTED"; }; })();
  • 60. Automate as much as you can • Open sourced NodeJS tool – https://github.com/zanelackey/projects • Combine this approach with driving a browser via Watir/Selenium – Make sure to use all major browsers
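Added example, not Etsy's tooling, covering both the 5xx replay (slides 48-50) and the reflected-XSS replay (slides 51-60) with one log parser: the HTTP fetch is injected and backed by a constructed stand-in app, and the XSS step only checks that the payload comes back unencoded, a weaker substitute for the headless-browser execution check the slides describe.

```python
"""Attack Driven Testing (slides 46-52): pull candidate requests out of the
access log, replay them against the test webserver, and alert only on
what still misbehaves. The fetcher is injected so this runs offline
against a constructed stand-in app; point it at urllib for a real test
server. Added example, not Etsy's tooling: the XSS step checks that the
payload is reflected unencoded, which is weaker than the headless-browser
execution check on slides 53-60 and should feed into it, not replace it."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Slide 52's basic payload markers, matched against the URL-decoded query.
XSS_MARKERS = ("alert(", "document.write(", "unescape(", "String.fromCharCode(")


def parse_access_log(lines):
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            yield match.group("method"), match.group("target"), int(match.group("status"))


def select_candidates(lines):
    """Unique targets worth replaying: those that returned 5xx (slide 49) and
    those carrying a basic XSS payload (slide 51)."""
    faults, xss, seen = [], [], set()
    for _method, target, status in parse_access_log(lines):
        if target in seen:
            continue
        seen.add(target)
        if 500 <= status < 600:
            faults.append(target)
        if any(marker in unquote(urlsplit(target).query) for marker in XSS_MARKERS):
            xss.append(target)
    return faults, xss


def replay(lines, fetch):
    """fetch(target) -> (status, body). Returns the alerts for appsec review."""
    faults, xss = select_candidates(lines)
    alerts = []
    for target in faults:
        status, _body = fetch(target)
        if 500 <= status < 600:                 # ephemeral errors drop out here
            alerts.append(("persistent_5xx", target, status))
    for target in xss:
        _status, body = fetch(target)
        for name, value in parse_qsl(urlsplit(target).query):
            if any(marker in value for marker in XSS_MARKERS) and value in body:
                alerts.append(("reflected_xss", target, name))  # came back unencoded
                break
    return alerts


def fake_app(target):
    """Constructed stand-in for the test webserver."""
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query))
    if parts.path == "/search":                 # reflects the raw parameter
        return 200, "<p>Results for " + params.get("q", "") + "</p>"
    if parts.path == "/listing":                # encodes it
        return 200, "<p>" + html.escape(params.get("q", "")) + "</p>"
    if parts.path == "/checkout":               # still broken hours later
        return 500, "Internal Server Error"
    if parts.path == "/cart/add":               # the 502 was transient
        return 200, "ok"
    return 404, "not found"


SAMPLE_LOG = [  # constructed, combined-log style
    '1.2.3.4 - - [01/Aug/2012:16:37:41 +0000] "GET /checkout?step=2 HTTP/1.1" 500 12',
    '1.2.3.4 - - [01/Aug/2012:16:38:02 +0000] "GET /cart/add?id=5 HTTP/1.1" 502 12',
    '1.2.3.4 - - [01/Aug/2012:16:39:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 40',
    '1.2.3.4 - - [01/Aug/2012:16:39:11 +0000] "GET /listing?q=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 40',
    '1.2.3.4 - - [01/Aug/2012:16:40:00 +0000] "GET /search?q=lamp HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_LOG, fake_app):
        print(alert)
```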
  • 61. Know when the house is burning down
  • 62. Know when the house is burning down: Graph early, graph often
  • 63. Know when the house is burning down: Which of these is a quicker way to spot a problem?
  • 64. Know when the house is burning down
  • 65. Know when the house is burning down
  • 66. Know when the house is burning down • Methodology: – Instrument application to collect data points – Fire them off to an aggregation backend – Build individual graphs – Combine groups of graphs into dashboards • We've open sourced our instrumentation library – https://github.com/etsy/statsd
  • 67. Know when the house is burning down
  • 68. Know when the house is burning down
  • 69. Know when the house is burning down
  • 70. Know when the house is burning down
  • 71. Know when the house is burning down: Now we can visually spot attacks
  • 72. Know when the house is burning down: But who's watching at 4AM?
  • 73. Know when the house is burning down • In addition to data visualizations, we need automatic alerting • Look at the raw data to see if it exceeds certain thresholds • Works well for graphs like this…
  • 74. Know when the house is burning down
  • 75. Know when the house is burning down: But not like this…
  • 76. Know when the house is burning down
  • 77. Know when the house is burning down • We need to smooth out graphs that follow usage patterns • Use exponential smoothing formulas like Holt-Winters • Math is hard, let's look at screenshots!
  • 78. Know when the house is burning down
  • 79. Know when the house is burning down • Now that we've smoothed out the graphs… • Use the same approach as before: – Grab the raw data – Look for values above/below a set threshold – Alert
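Added example, not the Graphite/statsd implementation used in the talk: additive Holt-Winters smoothing over a constructed hourly login series, with the alert band set on the deviation from forecast, beside the raw-threshold approach of slides 73-76 that it improves on; the smoothing parameters are assumptions.

```python
"""Smoothing a usage-driven graph with additive Holt-Winters (slides 77-79)
so that a set threshold on the deviation from the forecast catches a 4AM
anomaly that a threshold on the raw graph cannot. Added example, not the
Graphite/statsd implementation; smoothing parameters and the hourly login
series are constructed assumptions."""

SEASON = 24  # hourly buckets, one day per season


def holt_winters(series, m=SEASON, alpha=0.05, beta=0.01, gamma=0.1):
    """Additive Holt-Winters. Yields (t, actual, one-step forecast) from the
    second season on; the first season only initialises level/trend/seasonals."""
    level = sum(series[:m]) / m
    trend = (sum(series[m:2 * m]) / m - level) / m
    seasonal = [y - level for y in series[:m]]
    for t in range(m, len(series)):
        y, i = series[t], t % m
        forecast = level + trend + seasonal[i]
        yield t, y, forecast
        new_level = alpha * (y - seasonal[i]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[i] = gamma * (y - new_level) + (1 - gamma) * seasonal[i]
        level = new_level


def smoothed_alerts(series, k=5.0, floor=10.0, dev_alpha=0.2):
    """Slide 79: look at the smoothed data and alert on values above/below
    the band. The band is max(floor, k * running mean absolute deviation),
    so the band widens after a spike instead of firing again on the recovery."""
    alerts, dev = [], 0.0
    for t, y, forecast in holt_winters(series):
        resid = y - forecast
        if abs(resid) > max(floor, k * dev):
            alerts.append((t, y, round(forecast, 3), round(resid, 3)))
        dev = dev_alpha * abs(resid) + (1 - dev_alpha) * dev
    return alerts


def raw_threshold_alerts(series, limit):
    """The slide 73/75 approach: a fixed line on the raw graph."""
    return [(t, y) for t, y in enumerate(series) if y > limit]


# Constructed: four identical days of hourly login counts, plus 80 extra
# logins at 03:00 on day four (t = 75). The spike stays below the daytime peak.
DAY = [20, 15, 10, 8, 8, 10, 20, 40, 60, 80, 90, 95,
       100, 100, 95, 90, 85, 80, 70, 60, 50, 40, 30, 25]
SERIES = DAY * 4
SERIES[3 * SEASON + 3] += 80

if __name__ == "__main__":
    # A raw line low enough to see the 4AM spike also fires every afternoon.
    print("raw threshold at 85 fires %d times" % len(raw_threshold_alerts(SERIES, 85)))
    print("smoothed alerts:", smoothed_alerts(SERIES))
```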
  • 80. Know  when  the  house  is  burning  down             Have  the  ability  to  quickly/easily  correlate   events  
  • 81. Know  when  the  house  is  burning  down       •  Global  Request  IDs   <?php   global  $request_uuid;   apache_note(’request_uuid',  $request_uuid);  
  • 82. Know  when  the  house  is  burning  down         [01/Aug/2012:16:37:41  +0000]  "GET  /members/twokb/payments   HTTP/1.1"  200  "hps://XXX/members/twokb"  "Mozilla/5.0  (Windows   NT  6.1;  WOW64)  AppleWebKit/536.11  (KHTML,  like  Gecko)  Chrome/ 20.0.1132.57  Safari/536.11"  MF9JqDVpY93VOMreyvI2UC24wRjT   [Wed  Aug  01  16:37:41  2012]  [MF9JqDVpY93VOMreyvI2UC24wRjT]   [info]  [XXX]  [kbarry]  about  to  call  shop_get_data  for  shop:  [5971709]   [Wed  Aug  01  16:37:41  2012]  [MF9JqDVpY93VOMreyvI2UC24wRjT]   [info]  [XXX_audit]  [kbarry]    ac%on="view_payments"  staff="kbarry"   user_id="5597626"  sec%on="payment_info"  
• 83. Know when the house is burning down Alert on events that (should) never happen
• 84. Know when the house is burning down Successful attacks don't happen in a vacuum! They generate signals
• 85. Know when the house is burning down 1. Identify the signals associated with a vulnerability class 2. Alert when a signal occurs 3. Fix the identified weaknesses
• 86. Know when the house is burning down Two examples: SQLi and code execution
• 87. Know when the house is burning down • The road to exploited SQLi is littered with broken queries 1. Watch the logs for SQL syntax errors 2. Alert when they appear 3. Fix the lack of validation allowing the error
• 88. Know when the house is burning down • Further along the attack process, a SQLi attack looks like… your database • Sensitive DB table names shouldn't be showing up in requests – Alert if they do! • aka the "Two hours until the db is up on pastebin" alert
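Added example, not code from the talk, covering both SQLi signals from slides 87 and 88 as checks over log lines: rule 1 flags database syntax errors in application logs, rule 2 flags sensitive table names appearing in request targets after URL-decoding (including double-encoded ones). The table names, log layouts and sample lines are constructed.

```python
"""Two SQL-injection signals (slides 87 and 88) as checks over log lines.

Added example, not code from the talk. Rule 1 looks for database syntax
errors in application log lines (the broken queries that precede a
working injection). Rule 2 looks for sensitive table names in request
lines after URL-decoding, something legitimate traffic should never carry.
The table names, log layouts and sample lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# Rule 1: error text the common engines emit on a syntactically broken query.
SQL_ERROR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"You have an error in your SQL syntax",                 # MySQL
    r"syntax error at or near",                              # PostgreSQL
    r"Unclosed quotation mark after the character string",   # SQL Server
    r"\bORA-0(0933|1756)\b",                                 # Oracle: not properly ended / unterminated string
    r"\bunrecognized token\b",                               # SQLite
)]

# Rule 2: constructed internal table names. Use names that never occur in
# legitimate URLs (so not "users" or "orders"); an internal prefix helps.
SENSITIVE_TABLES = ("tbl_cc_tokens", "tbl_staff_passwords", "tbl_api_secrets")
TABLE_RE = re.compile(r"\b(" + "|".join(map(re.escape, SENSITIVE_TABLES)) + r")\b",
                      re.IGNORECASE)

# The request target out of an access-log line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH) (?P<target>[^" ]+) HTTP/[\d.]+"')


def sql_error_signal(line):
    """Rule 1: the matching error pattern, or None."""
    for pat in SQL_ERROR_PATTERNS:
        if pat.search(line):
            return pat.pattern
    return None


def table_name_signal(line):
    """Rule 2: the sensitive table name found in the request target, or None."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    # Decode twice so a double-encoded name (%2574bl_... -> %74bl_... -> tbl_...) is still seen.
    decoded = unquote_plus(unquote_plus(m.group("target")))
    t = TABLE_RE.search(decoded)
    return t.group(1).lower() if t else None


def scan(lines):
    """Return [(rule, detail, line)] for every line that raises a signal."""
    alerts = []
    for line in lines:
        err = sql_error_signal(line)
        if err:
            alerts.append(("sql_syntax_error", err, line))
        tbl = table_name_signal(line)
        if tbl:
            alerts.append(("sensitive_table_in_request", tbl, line))
    return alerts


SAMPLE_LINES = [  # constructed
    "[Wed Aug 01 16:40:01 2012] [REQ-A] [error] [db] You have an error in your SQL syntax; "
    "check the manual that corresponds to your MySQL server version near ''' at line 1",
    '[01/Aug/2012:16:40:01 +0000] "GET /search?q=boots HTTP/1.1" 200 "-" "Mozilla/5.0 (constructed)" REQ-B',
    '[01/Aug/2012:16:40:05 +0000] "GET /search?q=boots%27%20tbl_cc_tokens HTTP/1.1" 200 "-" "Mozilla/5.0 (constructed)" REQ-C',
    '[01/Aug/2012:16:40:09 +0000] "GET /shop/tbl_cc_tokens_store HTTP/1.1" 200 "-" "Mozilla/5.0 (constructed)" REQ-D',
    '[01/Aug/2012:16:40:12 +0000] "GET /search?q=%2574bl_cc_tokens HTTP/1.1" 200 "-" "Mozilla/5.0 (constructed)" REQ-E',
    '[Wed Aug 01 16:40:15 2012] [REQ-F] [error] [db] ERROR:  syntax error at or near ")" at character 42',
]

if __name__ == "__main__":
    for rule, detail, line in scan(SAMPLE_LINES):
        print(f"{rule}: {detail}\n    {line}")
```

Rule 1 is the early signal (the first thing a broken query produces is an error, long before anything is extracted); rule 2 is the late one the slide calls the "two hours until pastebin" alert. The whole-word match is deliberate: a path segment such as /shop/tbl_cc_tokens_store does not fire, so the table list has to be made of names that never legitimately appear in a URL.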
• 89. Know when the house is burning down A funny story about a code execution vuln…
• 90. Know when the house is burning down • preg_replace() in PHP has an interesting modifier: "e (PREG_REPLACE_EVAL) If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string."
• 92. Know when the house is burning down What do the signals for this look like?
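Added example, not from the talk: one concrete signal for this vulnerability class is simply the presence of the modifier in the code base, so this is a small scanner that pulls the pattern argument out of each preg_replace() call and reports those whose modifier letters include "e". (PHP 5.5 deprecated the /e modifier and PHP 7.0 removed it; preg_replace_callback() is the replacement.) The scanner only handles literal string patterns, and the PHP snippets it runs over are constructed.

```python
"""Finding preg_replace() calls that use the /e modifier in PHP source.

Added example, not code from the talk: a small scanner that extracts the
pattern argument of each preg_replace() call (literal strings only) and
reports the ones whose modifier list contains "e". The PHP below is
constructed.
"""
import re

# First argument of preg_replace(...) when it is a quoted string literal;
# backslash-escaped characters inside the literal are skipped over.
CALL_RE = re.compile(
    r"""preg_replace\s*\(\s*(?P<q>['"])(?P<pattern>(?:\\.|(?!(?P=q)).)*)(?P=q)""",
    re.DOTALL)

BRACKET_PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def pcre_modifiers(pattern):
    """Return the modifier letters after a PHP/PCRE pattern's closing delimiter."""
    if not pattern:
        return ""
    open_delim = pattern[0]
    close_delim = BRACKET_PAIRS.get(open_delim, open_delim)
    end = pattern.rfind(close_delim)
    if end <= 0:
        return ""  # no closing delimiter: not a usable pattern
    return pattern[end + 1:]


def find_eval_modifier(source):
    """Return [(line_no, pattern)] for each preg_replace() whose pattern uses /e."""
    hits = []
    for m in CALL_RE.finditer(source):
        pattern = m.group("pattern")
        if "e" in pcre_modifiers(pattern):
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((line_no, pattern))
    return hits


SAMPLE_PHP = r"""<?php
// constructed snippets
$a = preg_replace('/\s+/', ' ', $input);                     // fine
$b = preg_replace("/(\w+)/e", 'strtoupper("\\1")', $input);  // /e: replacement is eval'd
$c = preg_replace('#^(\d+)#ie', '$1 * 2', $input);           // /e mixed with other modifiers
$d = preg_replace_callback('/(\w+)/', 'strtoupper', $input); // the safe replacement API
$e = preg_replace('{x}ei', '', $input);                      // bracket-style delimiter
"""

if __name__ == "__main__":
    for line_no, pattern in find_eval_modifier(SAMPLE_PHP):
        print(f"line {line_no}: preg_replace() with /e modifier in pattern {pattern!r}")
```

This is the static side of the signal; it fits the "detect risky functionality" step, as a check run on every push, so a new use of the modifier is flagged before it ships rather than after someone finds it.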
  • 93. Know  when  the  house  is  burning  down      
• 94. Know when the house is burning down You can't fix what you're not alerting on
• 97. Have the ability to deploy/respond quickly
• 98. • Make things safe by default • Focus your efforts / Detect risky functionality • Automate as much as you can • Know when the house is burning down
• 99. Thanks! zane@signalsciences.com @zanelackey
• 100. References / Thanks • DevOpsSec: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security • Special Thanks: – Nick Galbreath, Dan Kaminsky, Marcus Barczak
